Skip to content

Trending tags

Authorities warn of 3ve ad fraud operation

Adam Pilkey

28.11.18 3 min. read

Today, US-CERT, in cooperation with the FBI and US Department of Homeland Security, issued an advisory about a major online ad fraud ring. “3ve” is a cyber crime operation that used malware and hijacked IP addresses to direct internet traffic from roughly 1.7 million IPs toward ads they controlled, lining their pockets with fraudulently obtained digital ad revenue.

3ve uses two separate botnets. The Boaxxe botnet, which is spread by malicious email attachments and drive-by downloads, is used as a proxy for fraudulent ad requests sent from a data center located in Germany that’s controlled by the attackers.

The Kovter botnet, also spread through drive-by downloads and malicious email attachments, runs a hideen browser in infected computers. Attackers then use their command and control infrastructure to direct traffic from the hidden browsers to their ads.

F-Secure Researcher Paivi Tynninen studied 3ve’s malware campaigns and shared her insights with a coalition of law enforcement and IT organizations that dismantled the botnets in a global takedown operation. Paivi characterizes 3ve’s tactics as typical of modern cyber criminals.

“3ve blasts out failed delivery notification spam, which is a common attack vector these days. Users open an attachment or click a link and end up infected with Kovter, Boaxxe or even both,” Paivi explains. “3ve also uses malvertising that redirects users to fake software updates and tricks victims into installing Kovter, which is a fairly popular social engineering tactic.”

Paivi also says 3ve briefly tried using exploit kits, but like many other attackers, had little success.

“Exploit kits have been in decline for years. 3ve and similar cyber criminals are relying more on spam these days,” says Paivi.

Ad fraud might not instill the same sense of dread in end users as threats like ransomware. But it’s incredibly prevalent and a big moneymaker for criminals. A 2016 study projected that ad fraud revenues would balloon to 150 billion dollars per year by 2025.

And unlike ransomware, ad fraud is often able to stay under the radar, allowing cyber criminals to operate undetected.

But end users shouldn’t delude themselves into thinking that 3ve isn’t their problem. Paivi says the spam campaigns she tracks often package additional malware in their spam emails.

“We’ve observed spam campaigns bundling ransomware, banking trojans, and infostealers along with Kovter and Boaxxe. It’s fairly common for spammers to give themselves a few options for compromising targets,” says Paivi. “And once a device is part of a botnet, it leaves them open for future attacks. So users should avoid risking any type of intrusion or compromise.”

On a more positive note, users can help ensure 3ve’s operation stays dead by ensuring they remove any traces of the group’s malware from their computers, and prevent themselves from future infections by following the same best practices that protect them from most threats.

-Use trustworthy security software that provides comprehensive protection for your devices.

-If you aren’t using security software and worry about malware infections, please check your device using F-Secure Online Scanner. It’s free and identified by US-CERT as an effective remediation tool. And tell your friends, family members, and acquaintances to help fight cyber crime by doing the same.

-Be careful when clicking links or opening attachments you receive in your email. Email spam is a huge problem and a popular way to spread malware (check out this post for tips on how to spot phishy emails).

-Use strong, unique passwords. This will make it more difficult for hackers to compromise your online accounts.

-Always update your operating system and software.

Adam Pilkey

28.11.18 3 min. read


Highlighted article

Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.